Monday, July 6, 2015

Snort++ Alpha 2 Available Now!

The second alpha release of Snort++ is now available on snort.org, and it includes a lot of new features and functionality:

Snort features:

sync with Snort 297-177

ported dns inspector

ported ssh and ssl inspector

ported smtp, pop, and imap inspectors

ported sip inspector

ported file processing

New features:

added publish-subscribe handling of inspection events

added data_log plugin example for pub-sub

added build of snort_manual.text if w3m is installed

added file_magic.lua

added socket DAQ to input payload only with flow tuple

added hext DAQ for packet input in hex and plain text

added file DAQ for plain file input (w/o packets)

added socket codec for use with above DAQs

added stream_user for payload only processing

added stream_file for file inspection and processing

added usage, bugs, and DAQ sections to user manual

added default_snort_manual.text w/o w3m

rewrote alert_csv with all new default format

changed stream_tcp to reassemble payload only

optionally omit ports or networks and ports in rule headers

updated new_http_inspect

rule protocols include services (like http) and file

allow abbreviated rule headers (omit networks and/or ports)

uncrustify, see crusty.cfg
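To show what the "abbreviated rule headers" and "rule protocols include services" items mean in practice, here is a small set of rules written for this post (they are not from the release or the Snort++ sources). The sids, messages and content strings are constructed placeholders; the rule body syntax is the Snort++ form with the body in parentheses.

```snort
# Classic Snort 2 style header: protocol, source network/port, direction, destination network/port.
# Still accepted by Snort++; the service is inferred from the inspector that handles the flow.
alert tcp any any -> any 80 ( msg:"constructed: full header, tcp to port 80"; content:"/admin"; sid:1000001; rev:1; )

# Same intent with a service protocol and no networks or ports at all.
# "http" here is a service, so the rule fires on HTTP wherever the traffic is identified, not just on port 80.
alert http ( msg:"constructed: abbreviated header, http service"; content:"/admin"; sid:1000002; rev:1; )

# Ports may also be omitted on their own while networks are kept.
alert http $EXTERNAL_NET -> $HOME_NET ( msg:"constructed: networks kept, ports omitted"; content:"/admin"; sid:1000003; rev:1; )

# "file" is a rule protocol too: the rule is evaluated against file content extracted by the file
# processing that this release ported, independent of the carrying protocol (http, smtp, pop, imap, ...).
alert file ( msg:"constructed: file rule, PE header seen in extracted file data"; file_data; content:"MZ"; depth:2; sid:1000004; rev:1; )
```

The point for rule authors is that the same detection logic no longer has to be duplicated per port or per carrying protocol; the service or file rule applies wherever the inspectors identify that traffic.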

The Snort++ project is gaining momentum. With new developers coming on board we will finish porting all of Snort's functionality in the next few months. Here are some things to look for in the third alpha release:

port open appID

port dcerpc2 inspector

port modbus and dnp3 inspectors

port side channel and HA functionality

rewrite of stream_tcp for greater functionality and performance

rewrite of perf stats

pipelined packet processing

hardware offloading support

next generation DAQ

next generation unified logging

Windows support

New downloads are posted to snort.org monthly. You can also get the latest updates from GitHub (snortadmin/snort3), which is updated weekly.